Cyber Resilience

CVE-2025-24891

Critical

Published: 31 January 2025

Modified: 15 April 2026
KEV Added: not listed
Patch: available (see the advisory and commit under Deeper analysis)
CVSS Score (v3.1): 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.3rd percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24891 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-24891 is a path traversal vulnerability (CWE-22, CWE-276) affecting Dumb Drop, a file upload application. Published on 2025-01-31, it enables users with permission to upload files to the service to overwrite arbitrary system files through improper path handling. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and potential for high impacts across confidentiality, integrity, and availability.

The attack scenario targets users able to interact with the upload functionality, which may include wholly unprivileged external attackers if the service runs without authentication enabled, or those possessing a PIN otherwise. Exploitation occurs over the network and requires user interaction, allowing attackers to leverage the default root privileges of the container to overwrite any system files without restriction. This can enable injection of malicious payloads into files executed on schedule or triggered by service actions, potentially granting full root access.

Mitigation details are provided in the Dumb Drop GitHub security advisory (GHSA-24f2-fv38-3274) and a related commit (cb586316648ccbfb21d27b84e90d72ccead9819d), which address the path traversal issue.


Vulnerability details

Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it's possible to inject malicious payloads into files run on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN.

CWE(s)

CWE-22 (Path Traversal), CWE-276 (Incorrect Default Permissions)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Path traversal in a public-facing file upload application allows arbitrary system files to be overwritten from the network. This directly enables exploitation of the public-facing application (T1190), escalation to root inside the container (T1068), and ingress of malicious payloads to arbitrary locations for later execution (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-29870 (shared CWE-22)
- CVE-2025-0542 (shared CWE-22, CWE-276)
- CVE-2025-62630 (shared CWE-22)
- CVE-2025-60786 (shared CWE-22)
- CVE-2025-25535 (shared CWE-276)
- CVE-2025-27590 (shared CWE-22)
- CVE-2026-41180 (shared CWE-22)
- CVE-2025-12422 (shared CWE-22)
- CVE-2026-7398 (shared CWE-22)
- CVE-2026-49157 (shared CWE-276)


Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly prevents path traversal exploitation by validating and sanitizing file paths in upload requests to block sequences like '../'.
- AC-6 Least Privilege (prevent): Mitigates the impact of a successful path traversal by enforcing least privilege, ensuring the container does not run as root and cannot overwrite arbitrary system files.
- Identification and authentication for non-organizational users (prevent): Requires identification and authentication for non-organizational users accessing the upload service, preventing wholly unprivileged exploitation when authentication is disabled by default.
